ResourceMapper.getResource may throw exceptions of type ResourceMapperError but AsertoAuthorizationManager.check doesn't handle those errors. The result is a 500 response.
With this proposed change, the AsertoAuthorizationManager catches the ResourceMapperError, logs it, and returns AuthorizationDecision(false) to deny access.
The ideal outcome when a request is made to a path that matches no routes would be a 404, but the authorization manager has no definitive way of determining the underlying cause of the ResourceMapperError, and even if it did, @PreAuthorize requires a boolean value, so the only viable options are to either allow or deny the call.
Proposed fix for https://github.com/aserto-dev/aserto-spring/issues/11.
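The fail-closed handling described above, as an added stand-alone example; it is not the project's code or the code in this pull request. The nested types are simplified stand-ins that reuse the names from the description, and `Authorizer`, the `/todos/` route and all method signatures are assumptions.

```java
import java.util.Map;
import java.util.logging.Logger;

public class FailClosedCheckExample {
    // Stand-ins (assumptions) for the types named in the description.
    static class ResourceMapperError extends Exception {
        ResourceMapperError(String message) { super(message); }
    }
    record AuthorizationDecision(boolean granted) {}
    interface ResourceMapper {
        Map<String, String> getResource(String path) throws ResourceMapperError;
    }
    // Hypothetical policy call; the real manager asks the authorizer service.
    interface Authorizer { boolean isAllowed(Map<String, String> resource); }

    private static final Logger LOG = Logger.getLogger("authz");

    static AuthorizationDecision check(ResourceMapper mapper, Authorizer authorizer, String path) {
        Map<String, String> resource;
        try {
            resource = mapper.getResource(path);
        } catch (ResourceMapperError e) {
            // Fail closed: a mapping failure becomes a deny, not an uncaught
            // exception (500) and never an implicit allow. CR/LF are stripped
            // because the message can carry request-controlled text.
            LOG.warning("resource mapping failed, denying: "
                    + e.getMessage().replaceAll("[\\r\\n]", "_"));
            return new AuthorizationDecision(false);
        }
        return new AuthorizationDecision(authorizer.isAllowed(resource));
    }

    public static void main(String[] args) {
        // Constructed mapper: only /todos/{id} maps to a resource.
        ResourceMapper mapper = path -> {
            if (path.startsWith("/todos/")) {
                return Map.of("id", path.substring("/todos/".length()));
            }
            throw new ResourceMapperError("no route matches " + path);
        };
        // Constructed policy: only resource id 42 is allowed.
        Authorizer authorizer = resource -> "42".equals(resource.get("id"));

        for (String path : new String[] {"/todos/42", "/todos/7", "/no-such-route"}) {
            System.out.println(path + " -> " + check(mapper, authorizer, path));
        }
    }
}
```

The unmatched path produces the same deny decision as a policy refusal, which is the trade-off the description notes: the caller cannot tell a missing route from a forbidden one.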